Launch your next mission - Part 4: Supply Chain Management
However, over time the requirements have flowed down to every organization who touches aerospace parts no matter how small or large.
Due to the complex supply chains the aerospace sector now has it is imperative that organizations have a robust supply chain management process to ensure that parts are produced to the highest quality requirements, are on time and are not counterfeit.
No matter where you are in the supply chain you need to ensure that you have adequate controls over your supply base, your focus and attention may just be different depending on where you are as different things are important to different organizations. Risk also plays a fundamental role within the supply chain management process and needs to be considered when evaluating, selecting and monitoring your suppliers.
Evolving the Aerospace Supply Chain
The above shows a typical aerospace supply chain model, the middle tier suppliers typically have design responsibility so you can establish where you are in this chain model.
Depending on where you sit in the chain will determine your focus towards the management system controls.
-
Upper tier-internal and supply chain areas of focus
-
Lower tier-more focused on customer flow-downs and internal evolution towards higher tiers
The challenge that each of these tiers have can arrive from supply chain management weaknesses. For example, if the upper tier suppliers do not stipulate certain control requirements the chances of the lower tier performing anything over and above the contract stipulations is low. This could result in counterfeit parts, poor quality, late delivery etc.
The lower tier may also not be aware of what the final product is used for and the risks associated with the product. I have audited many lower tier organizations that purely rely on what is being flowed to them in the purchase order and assume that if they need to do anything they will do it. Likewise, the upper tier suppliers assume that because their suppliers are AS certified they will be implementing exactly the same controls as they are themselves. If there is not a specific requirement within the standard and there is no regulatory or customer requirement stipulated anywhere then it is hard for an auditor to enforce additional controls unless we have specific reasons.
Every organization has to ensure that they have effective supply chain controls in place to not only meet standard requirements but to evolve their business.
Non-conformances undetected early in the process are often passed through the supply chain causing major disruptions or could even be undetected until an incident occurs. There are critical control points which need to be monitored to prevent these issues.
There are 8 key elements of supply chain management:
-
Supplier approval and surveillance process
-
Contract review process
-
Production planning and First Article Inspection
-
On-going Product and Process Verification
-
Monitoring performance
-
Change management
-
Manufacturing process control
-
Corrective action management
Supplier Approval and Surveillance Process
All organizations need to have a process defined for selecting and approving suppliers including those delegated by customers. Many organizations try to bypass the system when customers have delegated suppliers to use and assume that they do not need to apply controls to these suppliers, this is incorrect. Whether they have been delegated to you or not, each supplier needs to go through the same processes and controls.
If organizations have not defined their suppler approval and surveillance processes effectively then there are often issues with supplied product and service. Not enough thought goes into the approval process and very rarely do we see risk being a factor in this approval and surveillance process.
The process should include clearly defined selection criteria and associated risks based a number of possible factors, including, but not limited to:
-
Customer’s or supplier’s experience with and past performance of the sub-tiers
-
Technical and Manufacturing capability and capacity to produce the commodity in question
-
Resource and financial stability
-
Sub-tier’s ability to meet their customer’s Quality Management System (QMS) requirements, product quality and Supply Chain expectations.
-
Objective and reliable evaluations from external sources, such as Industry Controlled Other
-
Party (ICOP) Accreditations. Should your suppliers hold certain approvals such as AS9100, ISO 9001, AS9120, NADCAP etc.
The selection and approval process should include clearly defined requirements for the management of the supplier’s sub-tiers taking the following into consideration:
-
A documented process for the selection, audit, approval and disapproval of sub-tiers
-
Specific requirements for sub-tiers that do not have ICOP certified quality systems
-
A process for customer directed/approved suppliers
-
A process to flow-down the quality requirements including any customer unique requirements
-
Categorization of sub-tiers based on the scope of approval, (e.g. commodities, processing, design, manufacturing/repair, assembly, raw material, testing, calibration, etc.)
-
Frequency of audits to be performed of the sub-tiers related to type of product, performance or risk
-
The retention of records related to the approval of sub-tiers, e.g. audits results, approved supplier list, action plans, etc.
-
Methodology to determine and manage risks when selecting and using a sub-tier
A more advanced sub-tier management system would include a continuous review to drive improvement of the Supplier Sub-tier and Surveillance Process.
QMS Requirements
This can be an interesting discussion with client organizations, many will send out a questionnaire to suppliers, have them complete and if they have a third party approval they will sign them off and approve them without any other consideration.
There is a difference in management systems stretching from having no external assessments through to AS91xx assessments. And some certificates are not accredited by members of the IAF so are technically not put under the same controls as other certificates. Does this have an impact on the risk associated with the supplier? What happens when certificates expire or organizations let them lapse? Does that mean you stop using the supplier? Does the risk of using the supplier increase? Do they need to hold approvals in order for them to remain as a supplier to your organization?
Sub-tier controls
Consideration should also be given to the sub-tiers of your supplier, do they also need to have a QMS? Is this something you request in your purchase orders and is it something you ensure is in place? Organizations will put flowdown requirements in their purchase orders but what do they do to ensure that this is actually being performed by your suppliers?
There are many factors to consider at one of the most important is the risk factor, are you allowing your suppliers to outsource processes to other organizations, are they allowed to buy material from whomever they wish? What is the risk to the supply chain process?
I often review organizations raw material suppliers and they have the distributors on their approved supplier list. There is rarely any consideration as to where that distributor is purchasing the material from, can they just source the material from any mill in the world or should it be from known sources? Can they purchase from other distributors?
Are these new suppliers known to you, have they got a proven track record with some of your competitors or other known sources? Have they been trading for a number of years or are they fairly new to the industry? How much aerospace work do they currently manufacture for other organizations? What’s the overall percentage of aerospace work they produce?
Supplier surveillance
Organizations should ensure that their process defines the frequency and method of reassessing their suppliers performance and also compliance against requirements. Just because they had an AS9100 certificate when you first approved them doesn’t mean they still hold that approval.
The good thing with AS91xx certified organizations is that you can add them to your OASIS watchlist but there isn’t as a robust system for general ISO certificates (yet).
The frequency and methods will depend largely on the risks associated with that supplier as well as their general performance. I see many organizations just say they will review suppliers during management review meetings once a year without necessarily thinking about the risks of that supplier on your organization and is once a year sufficient?
Put your suppliers into a risk category and monitor them accordingly, if someone is deemed low risk to the business and product then why review them at all. And likewise, a supplier who is high risk to the business and product (if something happens to them you are in trouble) then once a year is probably not sufficient. The risk evaluation process is a multi-pronged approach not just based on performance over the last year. Think of the impact they have on the business and product is something goes wrong.
On-going surveillance needs to be appropriate to the organization, is a desktop review sufficient or should you be performing on site visits? If you have high risk suppliers then you might want to consider audits.
Some of the on-going surveillance audits and assessments could be:
-
Product audits
-
Audits of special and frozen processes
-
Process and special process control audits
-
QMS compliance audits
-
Sub-tier management assessments
New supplier monitoring
New suppliers can pose significant risk to your organization and therefore should be monitored a lot closer during the initial stages of trials. Often you need to approve suppliers to get through into the system and raise purchase orders without receiving any products yet. Does that initial evaluation determine if they are actually good or not, the proof is in the pudding as they say.
Therefore when you have approved new suppliers for initial use think about how you are going to monitor them during those initial orders, are you going to give them a large complex order without trialling on some smaller volume orders which are less risky to your organization? Once they have proved their worth then you can consider a reduction in their risk rating to your business.
Contract review
Hand on heart, this is probably my number 1 NCR. I raise this issue more times than any other requirement of the standards because organizations just do not put enough emphasis on the contract review process.
Many organizations will also blame the supplier but the failures happen at both ends. If you are providing the purchase orders you need to think about ensuring the information is clear and detailed and if you are the receiver of the purchase order you need to ensure that you understand the requirements fully and have all of the information required. Information also needs to be flowed down to sub-tier suppliers, does your organization ensure that this happens effectively?
RFQs
The starting point is the tenders or requests for quotation. The supplier needs to ensure that the scope of work is clear and you have all of the necessary information. Buyers also need to ensure they are not hiding anything, we often see RFQs sent out with limited information and no specifications listed. They get a price, issue the purchase order and then hit the supplier with all these other terms and conditions, specifications and requirements which can add costs and delays. It is not an effective process and is also not very fair as you then hold the suppliers to those prices which puts them under undue pressure and they cut corners.
You need to be transparent and clear in your requirements and suppliers need to ensure they have requested all information. Also consider what information you are passing onto your sub-tier suppliers when obtaining prices and lead times.
Receipt of orders
As stated above, purchase orders or contracts often have other requirements which weren’t stipulated in the RFQ stage. Do not just file the order without fully reviewing the requirements and ensure that you have identified and understood specifications, lead times etc.
In my opinion too many organizations let an administrator position perform this activity and without causing offence they would not necessarily be aware of the technical requirements within a purchase order. They will check for dates, prices and quantities but do they understand any specifications being defined?
When an order is received or even the tender, it should be passed through various departments or kick off meetings held with relevant personnel to ensure that information is clear and fully defined. Purchasing will need to ensure that they can obtain all of the necessary material, parts, processes in time and to requirements.
Quality will need to ensure that they have equipment in place and competent personnel and resources to meet the inspection needs.
Risk analysis is a requirement within the standard, I often see a box with high, medium or low and a tick next to one of them. What do each of these mean and what was the risk evaluation process? A risk analysis should ask the following questions and actions should be taken as necessary:
-
Is this a new part/commodity or a repeat order of the same or similar part/commodity?
-
Could the quantity of the order exceed current production and inspection capacity?
-
Are the required engineering (when applicable) production and inspection capabilities in place?
-
Will the new contract require use of new technology, new process, etc. that will require specific expertise possibly not existing yet in the organization? If yes, are there some training capabilities to ensure adequate expertise is reached?
-
Will it require the use of outsourced processes?
-
Are there regulatory requirements that may not be specifically stated (e.g. trade compliance, National Aviation Authorities, environmental health and safety, labor laws, etc.)?
-
Are product/process and quality assurance requirements understood and in control?
-
Can delivery requirements be consistently met at the right level of quality, on time delivery, and on cost performance?
If there are any conflicts or you need clarification then go back to the customer and ask for these to be addressed. Many times I have seen a specification on a purchase order, the client organization will say it doesn’t apply to them but have no proof to back up the claim. If it’s on the PO or within other specifications referenced then I will be expecting you to be compliant, if it is not meant to be there then have the customer remove the requirement.
This section can go on and is worthy of its own article.
Production Planning and First Article Inspection, Production Process Verification
After the contract review is completed organizations need to define their production plans and include their sub-tiers in the planning process. The detail and depth of the production process verification should be dependent on the risks associated with the product and service which includes the sub-tier requirements.
Organizations need to consider what production verification processes are required by their suppliers and stipulate these requirements. Is a FAIR sufficient or do they need APQPs or PPAPs? Would a control plan be sufficient and who should approve this before full production is underway?
When a production plan has been established certain events can trigger a review of this, do we need to revise the current plans:
-
New product
-
Design change
-
Process changes (incl. tool change, configuration change / verification request, machine change, new inspection methods, etc.)
-
Delivery interruption
-
Production relocation
-
New / Change of sub-tier supplier
-
Requalification, because of Audit findings, change in supplier ranking, loss of certification, etc.
-
Reprogram of software/firmware
On-going Product and Process Verification
Product and process conformance is established during the manufacturing process through process control and in-process inspection with some features and/or records later verified through final inspection. Frequently the methods deployed for final product verification and release are a combination of internal and contractual requirements. Contractual requirements established by suppliers should specify acceptable methods for product verification based on risk. Sub-tiers should also ensure they have established similar requirements for their own sub-tiers.
The supplier has a number of inspection processes to choose from for product verification. To minimize risk, suppliers will frequently use a combination of the processes. The most commonly deployed processes include:
-
Source inspection
-
Receiving inspection
-
Delegated inspection authority
When using any of these processes, the suppliers should clarify product inspection requirements as follows:
-
When complete inspection is required
-
How key characteristics are to be verified, Variation Management of Key Characteristics
-
How hidden or pass-through characteristics are to be verified
-
How and when approved sampling programs can be applied
-
Other methods, (e.g. inclusion of process control records, Cpk values (a measure of process capability), etc.)
Suppliers should establish inspection process or processes to be employed for verification and they should also communicate this to their sub-tiers. Are they allowed to use sampling plans for inspection, what are the risks posed?
Buyers and suppliers should ascertain what inspection methods should be used:
-
Validation at source (source inspection)
-
Receiving inspection (material and components)
-
Delegated inspection programme (third party inspection)
Buyers need to consider what inspection rates should be used and what type of inspection needs to be performed, don’t just assume that a supplier is going to perform 100% inspection on every dimensions. You need to be clear in your stipulations and requirements what is permissible or not.
-
Visual Inspection
-
Dimensional Inspection
-
Functional Testing
-
Material Property Testing
-
Sampling Inspection
-
Documentation Validation
-
Other Inspection Methods
Monitoring of Supplier performance
Organizations need to monitor the performance of their suppliers, that goes without saying, but the level of monitoring should vary depending on risk. The higher the risk to the business (critical suppliers) the more emphasis you should put on the oversight.
Another consideration is to the compliance received to date, more oversight may be required for suppliers who have not been performing as well as expected.
Monitoring sub-tier performance begins with establishing performance standards to be achieved, followed by effective flow down and communication of those expectations throughout the supply chain. Sub-tier performance monitoring can include internal, supplier and independent data (e.g. audits, on-time delivery, escapes, Nadcap, and certification body audit results).
Identify supplier population
Many organizations will put all suppliers into the same bowl without determining which are critical to their business based on several factors. Why focus the same amount of attention onto a non-critical supplier as you do a critical supplier, its wasted effort. Some of the considerations could be:
-
Sub-tiers providing critical parts or processes
-
Sub-tier products and/or services having significant impact on Supplier’s product conformity and/or performance
-
Single source of supply
-
Sub-tiers delivering material directly to a supplier’s customer (i.e. drop shipments)
-
Significant monetary value of orders
-
Geographic location, potential political instability
-
Leading competitive countries, emerging markets
-
Industry changes, (i.e. non-aerospace sources embarking in aerospace opportunities)
One method might be to put each supplier into a pot; critical, non-critical, consumables. Or you could adopt the high, medium, low risk approach. Either way you should end up with 3 separate and distinct groups of suppliers.
Set performance expectations
Each pot should have their own performance criteria. Why should your non-critical need to have 100% OTD and Quality? If you are needing that kind of performance then maybe they are in the wrong pot? By setting different performance requirements for each pot then you can truly see who is under-performing and requires more attention. Don’t focus your efforts on the non-critical and performing suppliers, focus on the suppliers who are having the greatest detrimental impact on the business.
You also need to be clear as to what the performance criteria is and this should be communicated to the suppliers, they need to know what they are being measured against and what levels of performance is required of them. They can’t fix what they don’t know!
Some of the common performance criteria is:
-
Escapes, including self-disclosed (PPM)
-
Product Non-conformances
-
On-Time Delivery Performance
-
Audit Results
-
Percentage of first time through FAIs
-
Source inspection results
-
Receiving inspection results
-
Response to Supplier Corrective Action Requests (SCARs)
Monitoring performance
As mentioned above, don’t treat all your suppliers the same and likewise your frequency should be dependent on the pot they are in. Critical suppliers could get a monthly performance review, non-critical every 6 months and the others maybe just once a year or not at all.
Reporting performance
Performance data should be given to the suppliers, there is nothing to hide and often they know how they are performing anyway, or at least think. Suppliers will need to know how they are performing in order to improve, and if auditors don’t see feedback scorecards it is hard to help you as we go based on their own data which may be different. If we see low performing suppliers we can do something about it so please give scorecards to the suppliers.
And suppliers, make sure you review these and take appropriate action. I often get the excuse “that data is incorrect”, ok, prove it and get it corrected. Your suppliers are monitoring you with a method which may be different to your internal criteria. The customer is king when we are auditing and if they say you are under performing then you are under performing. Do not just accept incorrect data (if you believe incorrect), feed this back to the supplier and ask for clarification or correction.
If you are truly underperforming then get an action plan in place to address the shortfall and work towards it. Organizations should also consider receiving an action plan when suppliers have dropped below the threshold of acceptance. This isn’t just about issuing a SCAR against non-conforming products, the performance criteria is wider than that.
Change Management
This is often overlooked by all parties, a change happens and no one does anything about it. I have seen changes to suppliers take place and no communication up the chain to the customer.
There is a requirement to communicate to your suppliers that they need to inform you of any changes but do you ensure that this is being performed effectively? Hopefully auditors are checking this during the assessment but this is a sample process remember and we are not guaranteed to pick up your parts during an assessment.
If you are changing drawings or parts then think about what you need from your suppliers to demonstrate continued compliance. Do you need a partial FAIR, do you need an updated control plan, do you need to perform an audit? Etc.
Suppliers also need to remember that any change can have an impact on the product or service you are providing so keep in communication with your customer. Sourcing a new supplier, buying a new machine, possibly changing of personnel…
A common mistake is also to assume that your sub-tier suppliers are not changing anything, you may continue to purchase from the same supplier for 10 years but they may switch suppliers in-between without you even knowing. I’ve see this happen and it brought counterfeit parts into the supply chain. The more complex the supply chain the more consideration you need to give to the controls in place.
Proposed changes
The Supplier’s Change Management Process, which should include changes related to: design engineering, frozen processes, change in sub-tier, manufacturing location, special process, implementation of corrective action and process improvement, should be extended to their sub-tiers and comply with the requirements of the contractual customers. Risk assessment and mitigation should be incorporated into the proposal phase of the process along with a communication/notification plan consistent with internal and customer requirements.
Clear flow-down of change notification requirements minimizes opportunities for misinterpretation as well as the introduction of unauthorized and unidentified changes into the process. Therefore, suppliers should be very specific regarding the nature of change and appropriate level of notification required to and from their sub-tiers. Typically, depending on their potential impact, changes will fall into one of the following three categories:
-
Approval
-
Notification
-
Administrative or Editorial
Before any changes are performed you should ensure that the correct approval or notification has been sort.
Implement the Change
When changes have taken place they need to be validated to ensure that the requirements continue to be met and there has been no detrimental impact on the supply. Do you need to perform another FAIR or partial FAIR etc.
Manufacturing Process Controls
No two products or processes are exactly the same; they vary in dimensions, physical properties, performance or a host of other characteristics. The variations may be large or small, but they are always present. The variations exist because all manufacturing and special processes contain sources of variation. Problems occur when the variations exceed the limits set by the engineering requirements and result in non-conformances.
Purchased components and materials may unwittingly interject variation into the process. Hence, manufacturing process control methodologies should be applied throughout the supply chain.
Key characteristics are one of these manufacturing process controls and should be monitored accordingly.
Organizations assume that key characteristics are going to be communicated to them by the customer, many customers assume that the supplier will identify the key characteristics themselves and deal with accordingly. Never Assume!
Your drawings or documentation passed onto the suppliers need to dictate clearly what is expected of the product and what is key to the success. If you don’t communicate what is a critical item or key characteristic then there is a possibility that the supplier is not going to pay particular attention to this.
Suppliers need to also not assume that customers will communicate any key characteristics and determine if there are any you believe should be key based on your own capabilities. You may need to perform PFMEAs, control plans, SPCs etc to control these key characteristics.
Corrective Action
Suppliers should have an effective corrective action process in place to eliminate the causes of a nonconformance in order to prevent reoccurrence. Additionally, it is the responsibility of the supplier to ensure this requirement is flowed down to sub-tiers and to verify the existence of an effective process.
I won’t go into detail on how to address corrective actions but organizations should ensure that when they are issuing out non-conformances they receive back effective root cause and corrective action from their suppliers and even sub-tier suppliers and that the actions have been effective.
Maybe you need to visit the supplier to understand what has gone wrong and help them prevent future occurrences.
If suppliers are not responding then what are the actions you are going to take, do you visit them, do you remove them as a supplier, do you inform your customer (if delegated).